stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Add signal contracts for reachability, exploitability, trust, and unknown symbols
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Signals DSSE Sign & Evidence Locker / sign-signals-artifacts (push) Has been cancelled
Details
Signals DSSE Sign & Evidence Locker / verify-signatures (push) Has been cancelled
Details

Browse Source 
- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties.
- Implemented JSON serialization attributes for proper data interchange.
- Created project files for the new signal contracts library and corresponding test projects.
- Added deterministic test fixtures for micro-interaction testing.
- Included cryptographic keys for secure operations with cosign.
This commit is contained in:
StellaOps Bot
2025-12-05 00:27:00 +02:00
parent b018949a8d
commit 8768c27f30
192 changed files with 27569 additions and 2552 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
etc/policy-engine.yaml.sample
View File

@@ -36,3 +36,11 @@ resourceServer:
bypassNetworks:
- "127.0.0.1/32"
- "::1/128"
# Rate limiting for simulation endpoints (WEB-POLICY-20-004)
rateLimiting:
enabled: true
simulationPermitLimit: 100 # Maximum requests per window
windowSeconds: 60 # Window duration in seconds
queueLimit: 10 # Requests queued when limit reached
tenantPartitioning: true # Enable per-tenant rate limits

46
etc/secrets/README.md Normal file
View File

@@ -0,0 +1,46 @@
# Secrets Directory
This directory contains sample/development secrets for local development and testing. **DO NOT** use these secrets in production environments.
## Available Keys
### DSSE Development Signing Key
**File:** `dsse-dev.signing.json`
A development-only HMAC-SHA256 signing key for DSSE (Dead Simple Signing Envelope) signatures. Used to sign offline kit manifests and schema catalogs during development.
**Key Details:**
- **Key ID:** `notify-dev-hmac-001`
- **Algorithm:** HMAC-SHA256
- **Secret:** Base64 of `development-signing-key-for-testing-only`
**Usage:**
```bash
# Sign a DSSE file with the development key
python scripts/notifications/sign-dsse.py <file.dsse.json>
# Or specify the key explicitly
python scripts/notifications/sign-dsse.py <file.dsse.json> --key etc/secrets/dsse-dev.signing.json
```
### CI/Production Signing
For CI and production environments, use:
- **COSIGN_KEY_REF** - Reference to cosign key for image/artifact signing
- **HSM-backed keys** - For production DSSE signing via Security team
CI workflows should never use the development key. The `secrets.COSIGN_KEY_REF` is injected via CI secrets management.
## Security Notes
1. **Never commit production secrets** - This directory is for development samples only
2. **Rotate keys regularly** - Development keys should be rotated when team members leave
3. **Use HSM for production** - Production signing must use HSM-backed keys
4. **Audit key usage** - All signing operations should be logged with keyId and timestamp
## Related Files
- `scripts/notifications/sign-dsse.py` - DSSE signing utility
- `src/ExportCenter/.../HmacDevPortalOfflineManifestSigner.cs` - Reference .NET implementation
- `docs/notifications/gaps-nr1-nr10.md` - NR9 offline kit with DSSE requirements

6
etc/secrets/dsse-dev.signing.json Normal file
View File

@@ -0,0 +1,6 @@
{
"keyId": "notify-dev-hmac-001",
"secret": "ZGV2ZWxvcG1lbnQtc2lnbmluZy1rZXktZm9yLXRlc3Rpbmctb25seQ==",
"algorithm": "HMACSHA256",
"note": "Development-only HMAC key for DSSE signing. DO NOT use in production. Secret is base64 of 'development-signing-key-for-testing-only'."
}